From: "Sukerkar, Amol N"
To: devel@edk2.groups.io
Cc: michael.d.kinney@intel.com, jiewen.yao@intel.com, jian.j.wang@intel.com, sachin.agrawal@intel.com, srinivas.musti@intel.com, subash.lakkimsetti@intel.com
Subject: [PATCH v3 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Date: Wed, 15 Jan 2020 15:57:30 -0700
Message-Id: <20200115225730.1330-2-amol.n.sukerkar@intel.com>
In-Reply-To: <20200115225730.1330-1-amol.n.sukerkar@intel.com>
References: <20200115225730.1330-1-amol.n.sukerkar@intel.com>

This commit introduces a Unified Hash API to calculate a hash using a
hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library
interfaces with the various hashing APIs, such as MD4, MD5, SHA1, SHA256,
SHA512 and SM3_256, implemented in CryptoPkg. The user can calculate the
desired hash by setting PcdSystemHashPolicy to the appropriate value.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Michael D Kinney
Signed-off-by: Sukerkar, Amol N --- Notes: v2: - Fixed the commit message format =20=20=20=20 V3: - Changed design to use global array instead of switch..case - Removed unused constructors - Removed trailing white spaces SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 151 ++++++++++++++++= ++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 100 +++++++++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 103 +++++++++++++ SecurityPkg/Include/Library/BaseHashLib.h | 85 +++++++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 141 ++++++++++++++++= ++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 46 ++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 17 +++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 51 +++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 16 +++ SecurityPkg/SecurityPkg.dec | 23 ++- SecurityPkg/SecurityPkg.dsc | 10 +- SecurityPkg/SecurityPkg.uni | 15 +- 12 files changed, 755 insertions(+), 3 deletions(-) diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c b/Security= Pkg/Library/BaseHashLib/BaseHashLibCommon.c new file mode 100644 index 000000000000..999fea3fed9e --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c @@ -0,0 +1,151 @@ +/** @file=0D + Implement image verification services for secure boot service=0D +=0D + Caution: This file requires additional review when modified.=0D + This library will have external input - PE/COFF image.=0D + This external input must be validated carefully to avoid security issue = like=0D + buffer overflow, integer overflow.=0D +=0D + DxeImageVerificationLibImageRead() function will make sure the PE/COFF i= mage content=0D + read is within the image buffer.=0D +=0D + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept=0D + untrusted PE/COFF image and validate its data structure within this imag= e buffer before use.=0D +=0D +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
=0D +(C) Copyright 2016 Hewlett Packard Enterprise Development LP
=0D +This program and the accompanying materials=0D +are licensed and made available under the terms and conditions of the BSD = License=0D +which accompanies this distribution. The full text of the license may be = found at=0D +http://opensource.org/licenses/bsd-license.php=0D +=0D +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,=0D +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED.=0D +=0D +**/=0D +=0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +#include "BaseHashLibCommon.h"=0D +=0D +STATIC CONST HASH_API_INTERFACE mHashApi [] =3D {=0D + {NULL, NULL, NULL, NULL},=0D + {Md4GetContextSize, Md4Init, Md4Update, Md4Final, MD4_DIGE= ST_SIZE},=0D + {Md5GetContextSize, Md5Init, Md5Update, Md5Final, MD5_DIGE= ST_SIZE},=0D + {Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final, SHA1_DIG= EST_SIZE},=0D + {Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, SHA256_D= IGEST_SIZE},=0D + {Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, SHA384_D= IGEST_SIZE},=0D + {Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, SHA512_D= IGEST_SIZE},=0D + {Sm3GetContextSize, Sm3Init, Sm3Update, Sm3Final, SM3_256_= DIGEST_SIZE}=0D +};=0D +=0D +/**=0D + Init hash sequence with Hash Algorithm specified by HashPolicy.=0D +=0D + @param HashPolicy Hash Algorithm Policy.=0D + @param HashHandle Hash handle.=0D +=0D + @retval TRUE Hash start and HashHandle returned.=0D + @retval FALSE Hash Init unsuccessful.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +HashInitInternal (=0D + IN UINT8 HashPolicy,=0D + OUT HASH_HANDLE *HashHandle=0D + )=0D +{=0D + BOOLEAN Status;=0D + VOID *HashCtx;=0D + UINTN CtxSize;=0D +=0D + if (HashPolicy =3D=3D HASH_INVALID || HashPolicy >=3D HASH_MAX) {=0D + ASSERT (FALSE);=0D + }=0D +=0D + CtxSize =3D mHashApi[HashPolicy].HashGetContextSize ();=0D + HashCtx =3D AllocatePool (CtxSize);=0D + ASSERT (HashCtx !=3D NULL);=0D +=0D + Status =3D 
mHashApi[HashPolicy].HashInit (HashCtx);=0D +=0D + *HashHandle =3D (HASH_HANDLE)HashCtx;=0D +=0D + return Status;=0D +}=0D +=0D +/**=0D + Update hash data with Hash Algorithm specified by HashPolicy.=0D +=0D + @param HashPolicy Hash Algorithm Policy.=0D + @param HashHandle Hash handle.=0D + @param DataToHash Data to be hashed.=0D + @param DataToHashLen Data size.=0D +=0D + @retval TRUE Hash updated.=0D + @retval FALSE Hash updated unsuccessful.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +HashUpdateInternal (=0D + IN UINT8 HashPolicy,=0D + IN HASH_HANDLE HashHandle,=0D + IN VOID *DataToHash,=0D + IN UINTN DataToHashLen=0D + )=0D +{=0D + BOOLEAN Status;=0D + VOID *HashCtx;=0D +=0D + if (HashPolicy =3D=3D HASH_INVALID || HashPolicy >=3D HASH_MAX) {=0D + ASSERT (FALSE);=0D + }=0D +=0D + HashCtx =3D (VOID *)HashHandle;=0D +=0D + Status =3D mHashApi[HashPolicy].HashUpdate (HashCtx, DataToHash, DataToH= ashLen);=0D +=0D + return Status;=0D +}=0D +=0D +/**=0D + Hash complete with Hash Algorithm specified by HashPolicy.=0D +=0D + @param HashPolicy Hash Algorithm Policy.=0D + @param HashHandle Hash handle.=0D + @param Digest Hash Digest.=0D +=0D + @retval TRUE Hash complete and Digest is returned.=0D + @retval FALSE Hash complete unsuccessful.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +HashFinalInternal (=0D + IN UINT8 HashPolicy,=0D + IN HASH_HANDLE HashHandle,=0D + OUT UINT8 **Digest=0D + )=0D +{=0D + BOOLEAN Status;=0D + VOID *HashCtx;=0D + UINT8 DigestData[SHA512_DIGEST_SIZE];=0D +=0D + if (HashPolicy =3D=3D HASH_INVALID || HashPolicy >=3D HASH_MAX) {=0D + ASSERT (FALSE);=0D + }=0D +=0D + HashCtx =3D (VOID *)HashHandle;=0D +=0D + Status =3D mHashApi[HashPolicy].HashFinal (HashCtx, DigestData);=0D + CopyMem (*Digest, DigestData, mHashApi[HashPolicy].DigestSize);=0D +=0D + FreePool (HashCtx);=0D +=0D + return Status;=0D +}=0D 
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibDxe.c new file mode 100644 index 000000000000..226c2d6a4aae --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c @@ -0,0 +1,100 @@ +/** @file=0D + This library is Unified Hash API. It will redirect hash request to=0D + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,= =0D + SHA384 and SM3...=0D +=0D +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
=0D +SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +=0D +=0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +#include "BaseHashLibCommon.h"=0D +=0D +/**=0D + Init hash sequence.=0D +=0D + @param HashHandle Hash handle.=0D +=0D + @retval TRUE Hash start and HashHandle returned.=0D + @retval FALSE Hash Init unsuccessful.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +HashApiInit (=0D + OUT HASH_HANDLE *HashHandle=0D +)=0D +{=0D + BOOLEAN Status;=0D + UINT8 HashPolicy;=0D + HASH_HANDLE Handle;=0D +=0D + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy);=0D +=0D + Status =3D HashInitInternal (HashPolicy, &Handle);=0D +=0D + *HashHandle =3D Handle;=0D +=0D + return Status;=0D +}=0D +=0D +/**=0D + Update hash data.=0D +=0D + @param HashHandle Hash handle.=0D + @param DataToHash Data to be hashed.=0D + @param DataToHashLen Data size.=0D +=0D + @retval TRUE Hash updated.=0D + @retval FALSE Hash updated unsuccessful.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +HashApiUpdate (=0D + IN HASH_HANDLE HashHandle,=0D + IN VOID *DataToHash,=0D + IN UINTN DataToHashLen=0D +)=0D +{=0D + BOOLEAN Status;=0D + UINT8 HashPolicy;=0D +=0D + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy);=0D +=0D + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, DataT= oHashLen);=0D +=0D + return Status;=0D +}=0D +=0D +/**=0D + Hash complete.=0D +=0D + @param HashHandle Hash handle.=0D + @param Digest Hash Digest.=0D +=0D + @retval TRUE Hash complete and Digest is returned.=0D + @retval FALSE Hash complete unsuccessful.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +HashApiFinal (=0D + IN HASH_HANDLE HashHandle,=0D + OUT UINT8 *Digest=0D +)=0D +{=0D + BOOLEAN Status;=0D + UINT8 HashPolicy;=0D +=0D + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy);=0D +=0D + Status =3D HashFinalInternal (HashPolicy, &HashHandle, &Digest);=0D +=0D + return Status;=0D +}=0D 
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibPei.c new file mode 100644 index 000000000000..43aa0f22277a --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c @@ -0,0 +1,103 @@ +/** @file=0D + This library is Unified Hash API. It will redirect hash request to=0D + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,= =0D + SHA384 and SM3...=0D +=0D +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
=0D +SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +=0D +=0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +#include =0D +#include "BaseHashLibCommon.h"=0D +=0D +/**=0D + Init hash sequence.=0D +=0D + @param HashHandle Hash handle.=0D +=0D + @retval TRUE Hash start and HashHandle returned.=0D + @retval FALSE Hash Init unsuccessful.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +HashApiInit (=0D + OUT HASH_HANDLE *HashHandle=0D +)=0D +{=0D + BOOLEAN Status;=0D + UINT8 HashPolicy;=0D + HASH_HANDLE Handle;=0D +=0D + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy);=0D +=0D + Status =3D HashInitInternal (HashPolicy, &Handle);=0D +=0D + *HashHandle =3D Handle;=0D +=0D + return Status;=0D +}=0D +=0D +/**=0D + Update hash data.=0D +=0D + @param HashHandle Hash handle.=0D + @param DataToHash Data to be hashed.=0D + @param DataToHashLen Data size.=0D +=0D + @retval TRUE Hash updated.=0D + @retval FALSE Hash updated unsuccessful.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +HashApiUpdate (=0D + IN HASH_HANDLE HashHandle,=0D + IN VOID *DataToHash,=0D + IN UINTN DataToHashLen=0D +)=0D +{=0D + BOOLEAN Status;=0D + UINT8 HashPolicy;=0D +=0D + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy);=0D +=0D + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, DataT= oHashLen);=0D +=0D + return Status;=0D +}=0D +=0D +/**=0D + Hash complete.=0D +=0D + @param HashHandle Hash handle.=0D + @param Digest Hash Digest.=0D +=0D + @retval TRUE Hash complete and Digest is returned.=0D + @retval FALSE Hash complete unsuccessful.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +HashApiFinal (=0D + IN HASH_HANDLE HashHandle,=0D + OUT UINT8 *Digest=0D +)=0D +{=0D + BOOLEAN Status;=0D + UINT8 HashPolicy;=0D +=0D + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy);=0D +=0D + Status =3D HashFinalInternal (HashPolicy, HashHandle, &Digest);=0D +=0D + return Status;=0D +}=0D 
diff --git a/SecurityPkg/Include/Library/BaseHashLib.h b/SecurityPkg/Includ= e/Library/BaseHashLib.h new file mode 100644 index 000000000000..4b939bbc2c79 --- /dev/null +++ b/SecurityPkg/Include/Library/BaseHashLib.h @@ -0,0 +1,85 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by ImageVerificationLib. + +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#ifndef __BASEHASHLIB_H_ +#define __BASEHASHLIB_H_ + +#include +#include +#include + +// +// Hash Algorithms +// +#define HASH_INVALID 0x00000000 +#define HASH_MD4 0x00000001 +#define HASH_MD5 0x00000002 +#define HASH_SHA1 0x00000003 +#define HASH_SHA256 0x00000004 +#define HASH_SHA384 0x00000005 +#define HASH_SHA512 0x00000006 +#define HASH_SM3_256 0x00000007 +#define HASH_MAX 0x00000008 + + +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval TRUE Hash start and HashHandle returned. + @retval FALSE Hash Init unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +); + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +); + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +); + +#endif diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h b/Security= Pkg/Library/BaseHashLib/BaseHashLibCommon.h new file mode 100644 index 000000000000..d8e2caa0bf8d --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h 
@@ -0,0 +1,141 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by ImageVerificationLib. + +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#ifndef __BASEHASHLIB_COMMON_H_ +#define __BASEHASHLIB_COMMON_H_ + +/** + Init hash sequence with Hash Algorithm specified by HashPolicy. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +BOOLEAN +EFIAPI +HashInitInternal ( + IN UINT8 HashPolicy, + OUT HASH_HANDLE *HashHandle + ); + +/** + Hash complete with Hash Algorithm specified by HashPolicy. + + @param HashPolicy Hash Algorithm Policy. + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. +**/ +BOOLEAN +EFIAPI +HashUpdateInternal ( + IN UINT8 HashPolicy, + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ); + +/** + Update hash data with Hash Algorithm specified by HashPolicy. + + @param HashPolicy Hash Algorithm Policy. + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful. +**/ +BOOLEAN +EFIAPI +HashFinalInternal ( + IN UINT8 HashPolicy, + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ); + +/** + Retrieves the size, in bytes, of the context buffer required for hash op= erations. + + @return The size, in bytes, of the context buffer required for hash ope= rations. + +**/ +typedef +UINTN +(EFIAPI *HASH_API_GET_CONTEXT_SIZE) ( + VOID + ); + +/** + Start hash. + + @param HashCtx Hash Context. 
+ + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED Unsupported Hash Policy specified. +**/ +typedef +BOOLEAN +(EFIAPI *HASH_API_INIT) ( + OUT VOID *HashCtx + ); + + +/** + Update hash data. + + @param HashCtx Hash Context. + @param Data Data to be hashed. + @param DataSize Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful or hash unsupported. +**/ +typedef +BOOLEAN +(EFIAPI *HASH_API_UPDATE) ( + IN OUT VOID *HashCtx, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +/** + Hash complete. + + @param HashCtx Hash Context. + @param Digest Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. +**/ +typedef +BOOLEAN +(EFIAPI *HASH_API_FINAL) ( + IN OUT VOID *HashCtx, + OUT UINT8 *Digest + ); + +typedef struct { + HASH_API_GET_CONTEXT_SIZE HashGetContextSize; + HASH_API_INIT HashInit; + HASH_API_UPDATE HashUpdate; + HASH_API_FINAL HashFinal; + UINTN DigestSize; +} HASH_API_INTERFACE; + +#endif diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibDxe.inf new file mode 100644 index 000000000000..94a497d91e78 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf @@ -0,0 +1,46 @@ +## @file=0D +# Provides hash service by registered hash handler=0D +#=0D +# This library is Base Hash Lib. It will redirect hash request to each in= dividual=0D +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.=0D +#=0D +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
=0D +# SPDX-License-Identifier: BSD-2-Clause-Patent=0D +#=0D +##=0D +=0D +[Defines]=0D + INF_VERSION =3D 0x00010005=0D + BASE_NAME =3D BaseHashLibDxe=0D + MODULE_UNI_FILE =3D BaseHashLibDxe.uni=0D + FILE_GUID =3D 158DC712-F15A-44dc-93BB-1675045BE066= =0D + MODULE_TYPE =3D DXE_DRIVER=0D + VERSION_STRING =3D 1.0=0D + LIBRARY_CLASS =3D BaseHashLib|DXE_DRIVER DXE_RUNTIME_DR= IVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER=0D +=0D +#=0D +# The following information is for reference only and not required by the = build tools.=0D +#=0D +# VALID_ARCHITECTURES =3D IA32 X64=0D +#=0D +=0D +[Sources]=0D + BaseHashLibCommon.h=0D + BaseHashLibCommon.c=0D + BaseHashLibDxe.c=0D +=0D +[Packages]=0D + MdePkg/MdePkg.dec=0D + CryptoPkg/CryptoPkg.dec=0D + SecurityPkg/SecurityPkg.dec=0D +=0D +[LibraryClasses]=0D + BaseLib=0D + BaseMemoryLib=0D + DebugLib=0D + MemoryAllocationLib=0D + BaseCryptLib=0D + PcdLib=0D +=0D +[Pcd]=0D + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES=0D diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/SecurityP= kg/Library/BaseHashLib/BaseHashLibDxe.uni new file mode 100644 index 000000000000..53e025918828 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni @@ -0,0 +1,17 @@ +// /** @file=0D +// Provides hash service by registered hash handler=0D +//=0D +// This library is Unified Hash API. It will redirect hash request to each= individual=0D +// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to=0D +// mask some hash engines.=0D +//=0D +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
= =0D +//=0D +// SPDX-License-Identifier: BSD-2-Clause-Patent=0D +//=0D +// **/=0D +=0D +=0D +#string STR_MODULE_ABSTRACT #language en-US "Provides hash ser= vice by specified hash handler"=0D +=0D +#string STR_MODULE_DESCRIPTION #language en-US "This library is U= nified Hash API. It will redirect hash request to the hash handler specifie= d by PcdSystemHashPolicy."=0D diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibPei.inf new file mode 100644 index 000000000000..1eea1d80b29d --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf @@ -0,0 +1,51 @@ +## @file=0D +# Provides hash service by registered hash handler=0D +#=0D +# This library is BaseCrypto router. It will redirect hash request to eac= h individual=0D +# hash handler registered, such as SHA1, SHA256, SM3.=0D +#=0D +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
=0D +# SPDX-License-Identifier: BSD-2-Clause-Patent=0D +#=0D +##=0D +=0D +[Defines]=0D + INF_VERSION =3D 0x00010005=0D + BASE_NAME =3D BaseHashLibPei=0D + MODULE_UNI_FILE =3D BaseHashLibPei.uni=0D + FILE_GUID =3D DDCBCFBA-8EEB-488a-96D6-097831A6E50B= =0D + MODULE_TYPE =3D PEIM=0D + VERSION_STRING =3D 1.0=0D + LIBRARY_CLASS =3D BaseHashLib|PEIM=0D +=0D +#=0D +# The following information is for reference only and not required by the = build tools.=0D +#=0D +# VALID_ARCHITECTURES =3D IA32 X64=0D +#=0D +=0D +[Sources]=0D + BaseHashLibCommon.h=0D + BaseHashLibCommon.c=0D + BaseHashLibPei.c=0D +=0D +[Packages]=0D + MdePkg/MdePkg.dec=0D + SecurityPkg/SecurityPkg.dec=0D + CryptoPkg/CryptoPkg.dec=0D + MdeModulePkg/MdeModulePkg.dec=0D +=0D +[LibraryClasses]=0D + BaseLib=0D + BaseMemoryLib=0D + DebugLib=0D + MemoryAllocationLib=0D + BaseCryptLib=0D + PcdLib=0D +=0D +[Guids]=0D + ## SOMETIMES_CONSUMES ## GUID=0D + gZeroGuid=0D +=0D +[Pcd]=0D + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES=0D diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni b/SecurityP= kg/Library/BaseHashLib/BaseHashLibPei.uni new file mode 100644 index 000000000000..a1abcc1cdfa0 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni @@ -0,0 +1,16 @@ +// /** @file=0D +// Provides hash service by registered hash handler=0D +//=0D +// This library is Unified Hash API. It will redirect hash request to each= individual=0D +// hash handler registered, such as SHA1, SHA256.=0D +//=0D +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
= =0D +//=0D +// SPDX-License-Identifier: BSD-2-Clause-Patent=0D +//=0D +// **/=0D +=0D +=0D +#string STR_MODULE_ABSTRACT #language en-US "Provides hash ser= vice by specified hash handler"=0D +=0D +#string STR_MODULE_DESCRIPTION #language en-US "This library is U= nified Hash API. It will redirect hash request to the hash handler specifie= d by PcdSystemHashPolicy."=0D diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 5335cc53973a..b40199da8211 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -5,7 +5,7 @@ # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and lib= rary classes)=0D # and libraries instances, which are used for those features.=0D #=0D -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
=0D +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
=0D # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
=0D # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D @@ -27,6 +27,10 @@ [LibraryClasses] #=0D HashLib|Include/Library/HashLib.h=0D =0D + ## @libraryclass Provides hash interfaces from different implementatio= ns.=0D + #=0D + BaseHashLib|Include/Library/HashLib.h=0D +=0D ## @libraryclass Provides a platform specific interface to detect phys= ically present user.=0D #=0D PlatformSecureLib|Include/Library/PlatformSecureLib.h=0D @@ -500,5 +504,22 @@ [PcdsDynamic, PcdsDynamicEx] # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.=0D gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023=0D =0D +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]=0D + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF imag= e=0D + # Based on the value set, the required algorithm is chosen to verify=0D + # the unsigned image during Secure Boot.
=0D + # The hashing algorithm selected must match the hashing algorithm used = to=0D + # hash the image to be added to DB using tools such as KeyEnroll.
=0D + # 0x00000001 - MD4.
=0D + # 0x00000002 - MD5.
=0D + # 0x00000003 - SHA1.
=0D + # 0x00000004 - SHA256.
=0D + # 0x00000005 - SHA384.
=0D + # 0x00000006 - SHA512.
=0D + # 0x00000007 - SM3_256.
=0D + # @Prompt Set policy for hashing unsigned image for Secure Boot.=0D + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007=0D + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00010024= =0D +=0D [UserExtensions.TianoCore."ExtraFiles"]=0D SecurityPkgExtra.uni=0D diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..86a5847e2509 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -1,7 +1,7 @@ ## @file=0D # Security Module Package for All Architectures.=0D #=0D -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
=0D +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
=0D # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM] Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.in= f=0D Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/P= eiTcg2PhysicalPresenceLib.inf=0D RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf=0D + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf=0D =0D [LibraryClasses.common.DXE_DRIVER]=0D HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf=0D @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER] Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i= nf=0D Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.in= f=0D FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf= =0D + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf=0D =0D [LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_RUNTIME_DRIV= ER, LibraryClasses.common.DXE_SAL_DRIVER,]=0D HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf=0D @@ -211,6 +213,12 @@ [Components] =0D SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf=0D =0D + #=0D + # Unified Hash API=0D + #=0D + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf=0D + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf=0D +=0D #=0D # TCG Storage.=0D #=0D diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni index 68587304d779..41a60f7ec22d 100644 --- a/SecurityPkg/SecurityPkg.uni +++ b/SecurityPkg/SecurityPkg.uni @@ -5,7 +5,7 @@ // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and lib= rary classes)=0D // and libraries instances, which are used for those features.=0D //=0D -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
= =0D +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
= =0D //=0D // SPDX-License-Identifier: BSD-2-Clause-Patent=0D //=0D @@ -295,3 +295,16 @@ =0D #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP #lang= uage en-US "This PCD defines LASA of TPM2 ACPI table\n\n"=0D = "0 means this field is unsupported\n"=0D +=0D +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT #lan= guage en-US "HASH algorithm to verify unsigned PE/COFF image"=0D +=0D +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP #langu= age en-US "This PCD indicates the HASH algorithm used by Unified Hash API.<= BR>
\n"=0D + = "Based on the value set, the required algorithm is chosen to = calculate\n"=0D + = "the hash desired.
\n"=0D + = "0x00000001 - MD4.
\n"=0D + = "0x00000002 - MD5.
\n"=0D + = "0x00000003 - SHA1.
\n"=0D + = "0x00000004 - SHA256.
\n"=0D + = "0x00000005 - SHA384.
\n"=0D + = "0x00000006 - SHA512.
\n"=0D + = "0x00000007 - SM3.
"=0D --=20 2.16.2.windows.1